Tracking the Progress of an SDL Program: Lessons from the Gym
DESCRIPTION
This presentation is from the 29 June 2009 OWASP Minneapolis-St. Paul (MSP) chapter meeting. Cassio Goldschmidt of Symantec talked about defining consistent metrics for tracking security vulnerabilities throughout the security development lifecycle.

TRANSCRIPT
![Page 1: Tracking the Progress of an SDL Program: Lessons from the Gym](https://reader035.vdocuments.us/reader035/viewer/2022062617/54b966934a7959a4738b45d5/html5/thumbnails/1.jpg)
Tracking the Progress of an SDL Program
Lessons from the Gym
Cassio Goldschmidt
June 29th, 2009
![Page 2: Tracking the Progress of an SDL Program: Lessons from the Gym](https://reader035.vdocuments.us/reader035/viewer/2022062617/54b966934a7959a4738b45d5/html5/thumbnails/2.jpg)
Introduction
![Page 3: Tracking the Progress of an SDL Program: Lessons from the Gym](https://reader035.vdocuments.us/reader035/viewer/2022062617/54b966934a7959a4738b45d5/html5/thumbnails/3.jpg)
Who am I?
• Cassio Goldschmidt
  – Sr. Manager, Product Security
  – Chapter Leader, OWASP Los Angeles
• Education
  – MBA, USC
  – MS Software Engineering, SCU
  – BS Computer Science, PUCRS
  – Certified Software Sec. Lifecycle Professional – CSSLP, (ISC)2
• When I’m not in the office…
  – Volleyball (Indoor, Beach)
  – Coding
  – Gym…
![Page 4: Tracking the Progress of an SDL Program: Lessons from the Gym](https://reader035.vdocuments.us/reader035/viewer/2022062617/54b966934a7959a4738b45d5/html5/thumbnails/4.jpg)
Typical Project Lifecycle
DESIGN CODE TEST SUPPORT
![Page 5: Tracking the Progress of an SDL Program: Lessons from the Gym](https://reader035.vdocuments.us/reader035/viewer/2022062617/54b966934a7959a4738b45d5/html5/thumbnails/5.jpg)
What your workout looks like
May 13th Workout
Exercise: Pile Squat
Repetitions: 35
Weight: 20 lbs
Exercise: Barbell Squat
Repetitions: 35
Weight: 150 lbs
Exercise: Rev. Curl
Repetitions: 20
Weight: 25 lbs
![Page 6: Tracking the Progress of an SDL Program: Lessons from the Gym](https://reader035.vdocuments.us/reader035/viewer/2022062617/54b966934a7959a4738b45d5/html5/thumbnails/6.jpg)
What your METRICS should look like
May 13th Sec. Metrics
Exercise: Pile Squat
Repetitions: 35
Weight: 20 lbs
Exercise: Barbell Squat
Repetitions: 35
Weight: 150 lbs
Exercise: Rev. Curl
Repetitions: 20
Weight: 25 lbs
Exercise type → CWE
![Page 7: Tracking the Progress of an SDL Program: Lessons from the Gym](https://reader035.vdocuments.us/reader035/viewer/2022062617/54b966934a7959a4738b45d5/html5/thumbnails/7.jpg)
What your METRICS should look like
May 13th Sec. Metrics
CWE: 79 - XSS
Repetitions: 35
Weight: 20 lbs
Exercise: Barbell Squat
Repetitions: 35
Weight: 150 lbs
Exercise: Rev. Curl
Repetitions: 20
Weight: 25 lbs
Number of reps → Number of findings
![Page 8: Tracking the Progress of an SDL Program: Lessons from the Gym](https://reader035.vdocuments.us/reader035/viewer/2022062617/54b966934a7959a4738b45d5/html5/thumbnails/8.jpg)
What your METRICS should look like
May 13th Sec. Metrics
CWE: 79 - XSS
Findings: 10
Weight: 20 lbs
Exercise: Barbell Squat
Repetitions: 35
Weight: 150 lbs
Exercise: Rev. Curl
Repetitions: 20
Weight: 25 lbs
Exercise intensity → CVSS
![Page 9: Tracking the Progress of an SDL Program: Lessons from the Gym](https://reader035.vdocuments.us/reader035/viewer/2022062617/54b966934a7959a4738b45d5/html5/thumbnails/9.jpg)
What your METRICS should look like
May 13th Sec. Metrics
CWE: 20 – Input Validation
Findings: 1
CVSS: 8.6
CWE: 79 - XSS
Findings: 3
CVSS:
CWE: 314
Findings: 1
CVSS: 2.3
SDL phase and activity: DESIGN – Threat Model | TEST – Pen Test | SUPPORT – Vul. Mgmt
![Page 10: Tracking the Progress of an SDL Program: Lessons from the Gym](https://reader035.vdocuments.us/reader035/viewer/2022062617/54b966934a7959a4738b45d5/html5/thumbnails/10.jpg)
Common Weakness Enumeration
![Page 11: Tracking the Progress of an SDL Program: Lessons from the Gym](https://reader035.vdocuments.us/reader035/viewer/2022062617/54b966934a7959a4738b45d5/html5/thumbnails/11.jpg)
Common Weakness Enumeration
What is it?
• A common language for describing software security weaknesses
• Maintained by the MITRE Corporation with support from the National Cyber Security Division (DHS)
• Hierarchical
  – Each individual CWE entry represents a single weakness type
  – Deeper levels of the tree provide finer granularity
  – Higher levels provide a broad overview of a class of weaknesses
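The hierarchy is what lets one set of finding counts be read at any granularity. The following is an added example for this transcript, not code from the talk: it rolls per-CWE finding counts up to their ancestors and collapses them to a chosen level of the tree. The PARENT table is a small hand-copied subset of ChildOf relationships from CWE's Research Concepts view (CWE-1000); the tree has been revised since 2009, so verify each edge against cwe.mitre.org before relying on it, and treat the sample counts as constructed.

```python
"""Roll findings up the CWE tree so the same data can be read at any granularity.

Added example for this transcript, not code from the talk. PARENT is a small
hand-copied subset of ChildOf relationships from CWE's Research Concepts view
(CWE-1000); the tree has been revised since 2009, so verify edges against
https://cwe.mitre.org before relying on them."""
from collections import defaultdict

# child -> parent. Pillars (707, 664) have no entry, so the walk stops there.
PARENT = {
    79: 74,     # Cross-site Scripting -> Injection
    89: 943,    # SQL Injection -> Improper Neutralization in Data Query Logic
    943: 74,    # -> Injection
    74: 707,    # Injection -> Improper Neutralization (pillar)
    20: 707,    # Improper Input Validation -> Improper Neutralization (pillar)
    314: 312,   # Cleartext Storage in the Registry -> Cleartext Storage of Sensitive Information
    312: 922,   # -> Insecure Storage of Sensitive Information
    922: 664,   # -> Improper Control of a Resource Through its Lifetime (pillar)
}


def ancestors(cwe):
    """Parents of `cwe` from nearest to the pillar; [] for a pillar or an unknown ID."""
    chain, seen = [], {cwe}
    while cwe in PARENT:
        cwe = PARENT[cwe]
        if cwe in seen:  # a hand-typed table can contain a cycle; fail loudly
            raise ValueError(f"cycle in PARENT at CWE-{cwe}")
        seen.add(cwe)
        chain.append(cwe)
    return chain


def roll_up(counts):
    """Total findings at every node: each finding counts for its CWE and all its ancestors."""
    totals = defaultdict(int)
    for cwe, n in counts.items():
        totals[cwe] += n
        for parent in ancestors(cwe):
            totals[parent] += n
    return dict(totals)


def overview(counts, level):
    """Collapse each CWE to its ancestor `level` steps below the pillar.

    level 0 gives the pillar view (the 'broad overview'); a level deeper than the
    chain keeps the CWE itself ('finer granularity'). Unknown IDs stay as they are."""
    view = defaultdict(int)
    for cwe, n in counts.items():
        root_first = list(reversed([cwe] + ancestors(cwe)))
        view[root_first[min(level, len(root_first) - 1)]] += n
    return dict(view)


if __name__ == "__main__":
    # Constructed counts, in the spirit of the slide's metrics card.
    sample = {79: 3, 89: 2, 20: 1, 314: 1}
    for lvl in range(3):
        print(f"level {lvl}: {overview(sample, lvl)}")
```

With the constructed counts, level 0 reports everything as two pillars (six "Improper Neutralization" findings, one resource-lifetime finding), level 1 separates injection from input validation and insecure storage, and the full depth is the original card. The cycle check matters because the table is maintained by hand; a typo that points a node at its own descendant would otherwise loop forever.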
![Page 12: Tracking the Progress of an SDL Program: Lessons from the Gym](https://reader035.vdocuments.us/reader035/viewer/2022062617/54b966934a7959a4738b45d5/html5/thumbnails/12.jpg)
Common Weakness Enumeration
Portion of CWE structure
![Page 13: Tracking the Progress of an SDL Program: Lessons from the Gym](https://reader035.vdocuments.us/reader035/viewer/2022062617/54b966934a7959a4738b45d5/html5/thumbnails/13.jpg)
Common Weakness Enumeration
What data is available for each CWE?
• Weakness description
• Applicable platforms and programming languages
• Common consequences
• Likelihood of exploit
• Coding examples
• Potential mitigations
• Related attacks
• Time of introduction
• Taxonomy mapping
Link to CWE page on XSS: https://cwe.mitre.org/data/definitions/79.html
![Page 14: Tracking the Progress of an SDL Program: Lessons from the Gym](https://reader035.vdocuments.us/reader035/viewer/2022062617/54b966934a7959a4738b45d5/html5/thumbnails/14.jpg)
Common Weakness Enumeration
How useful is this information?
Pie chart showing the frequency of CWEs found in penetration tests
![Page 15: Tracking the Progress of an SDL Program: Lessons from the Gym](https://reader035.vdocuments.us/reader035/viewer/2022062617/54b966934a7959a4738b45d5/html5/thumbnails/15.jpg)
Common Vulnerability Scoring System
![Page 16: Tracking the Progress of an SDL Program: Lessons from the Gym](https://reader035.vdocuments.us/reader035/viewer/2022062617/54b966934a7959a4738b45d5/html5/thumbnails/16.jpg)
Common Vulnerability Scoring System (CVSS)
What is it?
• Objective (and “perfect enough”) metric
• A universal way to convey vulnerability severity
  – Can be used for competitive analysis
• CVSS score ranges between 0.0 and 10.0
  – Can be expressed as high, medium, low as well
• Composed of 3 metric groups
  – Base: general vulnerability severity; intrinsic to the vulnerability and constant over time and across environments
  – Temporal: time-dependent qualities of a vulnerability (exploit availability, remediation level, report confidence)
  – Environmental: qualities of a vulnerability specific to a particular IT environment
![Page 17: Tracking the Progress of an SDL Program: Lessons from the Gym](https://reader035.vdocuments.us/reader035/viewer/2022062617/54b966934a7959a4738b45d5/html5/thumbnails/17.jpg)
Common Vulnerability Scoring System (CVSS)
BASE Vector

Exploitability metrics:

| Access Vector (AV)   | Access Complexity (AC) | Authentication (Au)    |
|----------------------|------------------------|------------------------|
| Local (L)            | High (H)               | Multiple Instances (M) |
| Adjacent Network (A) | Medium (M)             | Single Instance (S)    |
| Network (N)          | Low (L)                | None (N)               |

Impact metrics:

| Confidentiality (C) | Integrity (I) | Availability (A) |
|---------------------|---------------|------------------|
| None (N)            | None (N)      | None (N)         |
| Partial (P)         | Partial (P)   | Partial (P)      |
| Complete (C)        | Complete (C)  | Complete (C)     |

• Sample Score: 7.5
• Sample Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
• Every CVSS score should be accompanied by the corresponding vector
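The sample score above is reproducible from its vector, which is the practical reason the two must travel together. The following is an added example for this transcript, not Symantec's tooling: it computes a CVSS v2 base score from a vector string using the published v2.0 base equation and weights, bands it into High/Medium/Low (the bands NVD uses for v2 scores), and then builds the per-phase "Sec. Metrics" card from slide 9 out of a constructed list of findings. Every vector in FINDINGS is constructed sample data; the scores they produce are not the ones on the slide.

```python
"""CVSS v2 base score from its vector, and the per-phase metrics card from the slides.

Added example for this transcript, not Symantec's tooling. Weights and formula are
the published CVSS v2.0 base equation; the High/Medium/Low bands are the ones NVD
uses for v2 scores. FINDINGS is constructed sample data."""
from collections import defaultdict
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 base metric weights.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}      # Access Vector: Local / Adjacent / Network
AC = {"H": 0.35, "M": 0.61, "L": 0.71}       # Access Complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}      # Authentication: Multiple / Single / None
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}     # Confidentiality, Integrity, Availability impact
EXPECTED = {"AV": AV, "AC": AC, "Au": AU, "C": CIA, "I": CIA, "A": CIA}


def parse_vector(vector):
    """Turn '(AV:N/AC:L/Au:N/C:P/I:P/A:P)' into a dict, rejecting anything malformed.

    A score without a valid vector cannot be reproduced, which is why the slide
    insists the two travel together."""
    parts = dict(p.split(":") for p in vector.strip("()").split("/"))
    if set(parts) != set(EXPECTED):
        raise ValueError(f"base vector must carry exactly {sorted(EXPECTED)}: {vector}")
    for key, table in EXPECTED.items():
        if parts[key] not in table:
            raise ValueError(f"bad value {key}:{parts[key]} in {vector}")
    return parts


def is_valid_vector(vector):
    try:
        parse_vector(vector)
        return True
    except ValueError:
        return False


def round1(x):
    # The spec rounds to one decimal; half-up on the decimal string avoids float surprises.
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(vector):
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    if impact == 0:  # f(Impact) = 0: no impact means a 0.0 score regardless of exposure
        return 0.0
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176)


def severity(score):
    """NVD's v2 bands: the 'high, medium, low' (or green/yellow/red) view of a score."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


# Constructed findings: (date, SDL phase, activity, CWE, CVSS v2 base vector).
FINDINGS = [
    ("May 13", "DESIGN", "Threat Model", 20, "(AV:N/AC:M/Au:N/C:P/I:P/A:P)"),
    ("May 13", "TEST", "Pen Test", 79, "(AV:N/AC:M/Au:N/C:N/I:P/A:N)"),
    ("May 13", "TEST", "Pen Test", 79, "(AV:N/AC:M/Au:N/C:N/I:P/A:N)"),
    ("May 13", "TEST", "Pen Test", 79, "(AV:N/AC:M/Au:N/C:N/I:P/A:N)"),
    ("May 13", "SUPPORT", "Vul. Mgmt", 314, "(AV:L/AC:L/Au:N/C:P/I:N/A:N)"),
]


def metrics_card(findings, date):
    """One card per (phase, activity, CWE): findings are the reps, peak CVSS the weight."""
    card = defaultdict(lambda: {"findings": 0, "max_cvss": 0.0})
    for f_date, phase, activity, cwe, vector in findings:
        if f_date != date:
            continue
        entry = card[(phase, activity, cwe)]
        entry["findings"] += 1
        entry["max_cvss"] = max(entry["max_cvss"], base_score(vector))
    return dict(card)


if __name__ == "__main__":
    print("Sample vector:", base_score("(AV:N/AC:L/Au:N/C:P/I:P/A:P)"))
    for (phase, activity, cwe), m in metrics_card(FINDINGS, "May 13").items():
        print(f"{phase} ({activity}) CWE-{cwe}: findings={m['findings']} "
              f"CVSS={m['max_cvss']} ({severity(m['max_cvss'])})")
```

Two design points: the parser refuses a vector with a missing or unknown metric rather than defaulting it (an "Undefined" dropdown in a calculator is fine for exploration, but a stored metric must be complete to be reproducible), and the card keeps the peak score per CWE rather than an average, since a single Complete-impact finding should not be diluted by several Partial ones when the card is reduced to a semaphore.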
![Page 18: Tracking the Progress of an SDL Program: Lessons from the Gym](https://reader035.vdocuments.us/reader035/viewer/2022062617/54b966934a7959a4738b45d5/html5/thumbnails/18.jpg)
Common Vulnerability Scoring System (CVSS)
The Calculator
![Page 19: Tracking the Progress of an SDL Program: Lessons from the Gym](https://reader035.vdocuments.us/reader035/viewer/2022062617/54b966934a7959a4738b45d5/html5/thumbnails/19.jpg)
Training and Metrics
![Page 20: Tracking the Progress of an SDL Program: Lessons from the Gym](https://reader035.vdocuments.us/reader035/viewer/2022062617/54b966934a7959a4738b45d5/html5/thumbnails/20.jpg)
Training and Metrics
A special activity in the SDL
• Security training is to the SDL what food is to a workout
• The same workout metrics do not apply
• Quality of your intake affects overall performance
• Staff needs ongoing training
![Page 21: Tracking the Progress of an SDL Program: Lessons from the Gym](https://reader035.vdocuments.us/reader035/viewer/2022062617/54b966934a7959a4738b45d5/html5/thumbnails/21.jpg)
Training and Metrics
Security Learning Process
![Page 22: Tracking the Progress of an SDL Program: Lessons from the Gym](https://reader035.vdocuments.us/reader035/viewer/2022062617/54b966934a7959a4738b45d5/html5/thumbnails/22.jpg)
Training and Metrics
Security Learning Process: Understand who the audience is
• Previous knowledge about secure coding and secure testing
• Programming languages in use
• Supported platforms
• Type of product
![Page 23: Tracking the Progress of an SDL Program: Lessons from the Gym](https://reader035.vdocuments.us/reader035/viewer/2022062617/54b966934a7959a4738b45d5/html5/thumbnails/23.jpg)
Training and Metrics
Security Learning Process: Train everyone involved in the SDL
• Developers: Secure Coding, Threat Model
• QA: Security Testing, Tools
• Managers: Secure Development Lifecycle (also known as Symmunize)
![Page 24: Tracking the Progress of an SDL Program: Lessons from the Gym](https://reader035.vdocuments.us/reader035/viewer/2022062617/54b966934a7959a4738b45d5/html5/thumbnails/24.jpg)
Training and Metrics
Security Learning Process: Quality Assurance - Capture the Flag
• Use beta software
• Approximately 3 hours long
• Top 3 finders receive prizes and are invited to explain to the rest of the group what techniques and tools they used to find the vulnerabilities
![Page 25: Tracking the Progress of an SDL Program: Lessons from the Gym](https://reader035.vdocuments.us/reader035/viewer/2022062617/54b966934a7959a4738b45d5/html5/thumbnails/25.jpg)
Training and Metrics
Security Learning Process: Post-Class Survey
• Anonymous
• Metrics
  – Class content
  – Instructor knowledge
  – Exercises
![Page 26: Tracking the Progress of an SDL Program: Lessons from the Gym](https://reader035.vdocuments.us/reader035/viewer/2022062617/54b966934a7959a4738b45d5/html5/thumbnails/26.jpg)
Training and Metrics
Security awareness is more than training
• Knowledge Sharing Activities
• Tech Exchanges
• Cutting Edge
• CTO Newsletter Articles
![Page 27: Tracking the Progress of an SDL Program: Lessons from the Gym](https://reader035.vdocuments.us/reader035/viewer/2022062617/54b966934a7959a4738b45d5/html5/thumbnails/27.jpg)
Conclusions and final thoughts
![Page 28: Tracking the Progress of an SDL Program: Lessons from the Gym](https://reader035.vdocuments.us/reader035/viewer/2022062617/54b966934a7959a4738b45d5/html5/thumbnails/28.jpg)
Why This Approach Makes Sense
DESIGN CODE TEST SUPPORT
• Compare apples to apples
• Quantify results in a way that is meaningful to “C”-level executives
  – Past results can be used to explain the impact of new findings
  – Can be simplified to a number from 0 to 10 or a semaphore (green, yellow and red)
  – Can be used for competitive analysis
• CVSS is harder to game than a subjective severity label
• CWE can be easily mapped to different taxonomies
![Page 29: Tracking the Progress of an SDL Program: Lessons from the Gym](https://reader035.vdocuments.us/reader035/viewer/2022062617/54b966934a7959a4738b45d5/html5/thumbnails/29.jpg)
Copyright © 2007 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
Thank You!
Cassio Goldschmidt